Rule: Lambda functions should be in a VPC
This rule states that Lambda functions must be in a Virtual Private Cloud (VPC) for security reasons.
| Rule | Lambda functions should be in a VPC |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Low |
Rule Description:
Lambda functions should be configured to run within a Virtual Private Cloud (VPC) to meet the security requirements of FedRAMP Moderate Revision 4.
Reasoning:
By running Lambda functions within a VPC, network traffic is isolated and controlled, providing an additional layer of security. This helps to protect sensitive information and prevents unauthorized access to the Lambda functions and associated resources.
Troubleshooting Steps:
If you encounter any issues while configuring Lambda functions within a VPC, follow these troubleshooting steps:
- 1.Ensure VPC availability: Verify that the VPC is correctly set up and available within the AWS account.
- 2.Check subnet configurations: Make sure the desired subnets within the VPC have been properly configured, including route tables, network access control lists (ACLs), and security groups.
- 3.Verify resources: Check if all required resources (such as NAT gateways, internet gateways, and endpoint services) are correctly configured within the VPC.
- 4.Review Lambda function settings: Double-check the Lambda function configuration to ensure that it is set to run within the desired VPC.
- 5.Troubleshoot connectivity: Use VPC Flow Logs and other network monitoring tools to identify any connectivity issues between the Lambda function and other resources within the VPC.
- 6.Review IAM roles and policies: Ensure that the appropriate IAM roles and policies are correctly assigned to the Lambda function and other resources within the VPC to allow for proper access.
Necessary Codes:
To configure a Lambda function to run within a VPC, you need to modify its settings using the AWS Command Line Interface (CLI) or AWS Management Console. Here is an example of the code required to configure a Lambda function within a VPC using the CLI:
aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-ids>,SecurityGroupIds=<security-group-ids>
Replace
<function-name><subnet-ids><security-group-ids>Step-by-Step Guide for Remediation:
Follow these steps to configure a Lambda function to run within a VPC:
- 1.
Determine the VPC details:
- Identify the target VPC where you want the Lambda function to run.
- Note down the subnet IDs and security group IDs within the VPC that should be associated with the Lambda function.
- 2.
Choose a method:
- Decide whether you want to use the AWS CLI or the AWS Management Console to configure the Lambda function.
- For CLI instructions, refer to the console command provided earlier.
- For console instructions, proceed to the next step.
- 3.
Configure Lambda function using the AWS Management Console:
- Open the AWS Management Console and navigate to the Lambda service.
- Locate the desired Lambda function and select it.
- In the function's configuration page, scroll down to the "Network" section.
- Click on "Edit" to modify the VPC configuration.
- Select the desired subnets from the available list to associate them with the Lambda function.
- Choose the required security groups from the available options.
- Click on "Save" to apply the changes.
- 4.
Test the configuration:
- Once the configuration is saved, initiate test invocations of the Lambda function to ensure it is functioning as expected within the VPC.
- Monitor CloudWatch logs and other relevant metrics to validate its performance within the VPC.
By following these steps, you can successfully configure a Lambda function to run within a VPC, meeting the FedRAMP Moderate Revision 4 requirements.